tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From bugzi...@apache.org
Subject DO NOT REPLY [Bug 9027] New: - The Tomcat Servlet Container use the identity specified in a servlet with the element <run-as> for every web component.
Date Mon, 13 May 2002 11:49:13 GMT
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG 
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://nagoya.apache.org/bugzilla/show_bug.cgi?id=9027>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND 
INSERTED IN THE BUG DATABASE.

http://nagoya.apache.org/bugzilla/show_bug.cgi?id=9027

The Tomcat Servlet Container use the identity specified in a servlet with the element <run-as>
for every web component.

           Summary: The Tomcat Servlet Container use the identity specified
                    in a servlet with the element <run-as> for every web
                    component.
           Product: Tomcat 4
           Version: 4.0.1 Final
          Platform: Other
        OS/Version: Other
            Status: NEW
          Severity: Critical
          Priority: Other
         Component: Servlet & JSP API
        AssignedTo: tomcat-dev@jakarta.apache.org
        ReportedBy: markus.ide@ejbguru.de


The Tomcat Servlet Container use the identity specified in a servlet with the 
element <run-as> for every web component.
This identity should only be used for calls in the specified servlet and not 
for calls in other web components. In my opinion this is a fatal error.

The following test szenario could be used to detect the error (I use the J2EE 
Reference Implementation from Sun).

1.) create an EJB archive with the session bean TestEJB
2.) insert the JSP test.jsp and testRunAs.jsp in an web-archive
3.) modify the security for the JSP shown in the deployment descriptor web.xml 
4.) modify the caller-id of the JSP testRunAs.jsp to the role 'eng' and the 
user 'scott'
5.) deploy the application
6.) request the test.jsp and testRunAs.jsp with the username j2ee/j2ee. The 
caller of the EJB is always the one, who is specified for testRunAs.jsp, that 
means 'scott'. A request to test.jsp should use the authenticated user (j2ee).

-----------------------------------------------------------------
JSP Testfile: 'test.jsp'
-----------------------------------------------------------------
<html>
  <head>
    <title>test</title>
    <%@ page import="de.j2eeguru.example.Test" %>
    <%@ page import="de.j2eeguru.example.TestHome" %>
    <%@ page import="javax.naming.InitialContext" %>
    <%@ page import="javax.rmi.PortableRemoteObject" %>
  </head>
  <body>
    <p>Identity of the user in test.jsp: <%= request.getRemoteUser() %></p>
    <p>
      Identity of the EJB caller:
    <%
      String callerID="???";

      try
      {
        // JNDI-Kontext ermitteln
        InitialContext ctx = new InitialContext();

        // JNDI-Namen nachschlagen
        Object ref = ctx.lookup("de/ejbguru/test");

        // in Home-Interface umwandeln
        TestHome testHome = (TestHome)
           PortableRemoteObject.narrow(ref, TestHome.class);

        // EJB erzeugen und Referenz auf Remote-Interface ermitteln
        Test test = testHome.create();

        // Business-Methode vom EJB ausführen
        callerID = test.getUserName();

        // Remote-Interface wird nicht mehr benötigt
        test.remove();
      }
      catch(Exception ex)
      {
        ex.printStackTrace();
        callerID = "Fehler aufgetreten:" + ex.getMessage();
      }
    %>

    <%= callerID %>
    </p>
  </body>
</html>

-----------------------------------------------------------------
JSP Testfile: 'testRunAs.jsp'  (in fact the same as test.jsp)
-----------------------------------------------------------------
<html>
  <head>
    <title>test</title>
    <%@ page import="de.j2eeguru.example.Test" %>
    <%@ page import="de.j2eeguru.example.TestHome" %>
    <%@ page import="javax.naming.InitialContext" %>
    <%@ page import="javax.rmi.PortableRemoteObject" %>
  </head>
  <body>
    <p>Identity of the user in testRunAs.jsp: <%= request.getRemoteUser() %></p>
    <p>
      Identity of the EJB caller:
    <%
      String callerID="???";

      try
      {
        // JNDI-Kontext ermitteln
        InitialContext ctx = new InitialContext();

        // JNDI-Namen nachschlagen
        Object ref = ctx.lookup("de/ejbguru/test");

        // in Home-Interface umwandeln
        TestHome testHome = (TestHome)
           PortableRemoteObject.narrow(ref, TestHome.class);

        // EJB erzeugen und Referenz auf Remote-Interface ermitteln
        Test test = testHome.create();

        // Business-Methode vom EJB ausführen
        callerID = test.getUserName();

        // Remote-Interface wird nicht mehr benötigt
        test.remove();
      }
      catch(Exception ex)
      {
        ex.printStackTrace();
        callerID = "Fehler aufgetreten:" + ex.getMessage();
      }
    %>

    <%= callerID %>
    </p>
  </body>
</html>

-----------------------------------------------------------------
WEB.XML:
-----------------------------------------------------------------
<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE web-app PUBLIC '-//Sun Microsystems, Inc.//DTD Web Application 
2.3//EN' 'http://java.sun.com/dtd/web-app_2_3.dtd'>

<web-app>
  <display-name>RunAsWebApp</display-name>
  <servlet>
    <servlet-name>test</servlet-name>
    <display-name>test</display-name>
    <jsp-file>/test.jsp</jsp-file>
  </servlet>
  <servlet>
    <servlet-name>testRunAs</servlet-name>
    <display-name>testRunAs</display-name>
    <jsp-file>/testRunAs.jsp</jsp-file>
    <run-as>
      <role-name>eng</role-name>
    </run-as>
  </servlet>
  <session-config>
    <session-timeout>30</session-timeout>
  </session-config>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>WRCollection</web-resource-name>
      <url-pattern>/test.jsp</url-pattern>
      <url-pattern>/testRunAs.jsp</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>mgr</role-name>
    </auth-constraint>
    <user-data-constraint>
      <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>Default</realm-name>
  </login-config>
  <security-role>
    <role-name>eng</role-name>
  </security-role>
  <security-role>
    <role-name>mgr</role-name>
  </security-role>
</web-app>

-----------------------------------------------------------------
TestEJB.java
-----------------------------------------------------------------
package de.j2eeguru.example;

import javax.ejb.SessionBean;
import javax.ejb.EJBException;
import javax.ejb.CreateException;
import javax.ejb.SessionContext;

/*
 * Stateless-Session-Bean 'TestEJB'
 */
public class TestEJB implements SessionBean
{
  private SessionContext sctx = null;

  //------------------------------------------------------------
  //          Implementierung der Business-Methoden
  //------------------------------------------------------------
  public String getUserName()
  {
    return sctx.getCallerPrincipal().getName();
  }

  //------------------------------------------------------------
  //          Implementierung der create-Methode
  //------------------------------------------------------------
  public void ejbCreate() throws CreateException  {  }

  //------------------------------------------------------------
  //   Implementierung des Interface 'javax.ejb.SessionBean'
  //------------------------------------------------------------
  public void setSessionContext( SessionContext sctx )  { this.sctx = sctx; }
  public void ejbRemove()     {  }
  public void ejbActivate()   {  }
  public void ejbPassivate()  {  }
}

-----------------------------------------------------------------
TestEJB.java
-----------------------------------------------------------------
package de.j2eeguru.example;

import java.rmi.RemoteException;
import javax.ejb.EJBObject;

/*
 * Remote-Interface für das Session-Bean 'TestEJB'
 */
public interface Test extends EJBObject
{
  public String getUserName() throws RemoteException;
}

-----------------------------------------------------------------
TestHomeEJB.java
-----------------------------------------------------------------
package de.j2eeguru.example;

import java.rmi.RemoteException;

import javax.ejb.EJBHome;
import javax.ejb.CreateException;

/**
 * Home-Interface für das Session-Bean 'TestEJB'.
 */
public interface TestHome extends EJBHome
{
  public Test create() throws CreateException, RemoteException;
}

--
To unsubscribe, e-mail:   <mailto:tomcat-dev-unsubscribe@jakarta.apache.org>
For additional commands, e-mail: <mailto:tomcat-dev-help@jakarta.apache.org>


Mime
View raw message